In a lot of organizations, internet access is controlled via a proxy that most likely also requires authentication. Rather than provide your username and password to every piece of software (which may or may not store them securely), we can set up a local proxy server that securely stores the credentials for us and provides an easy URL through which the internet can be accessed.
Enter cntlm, an NTLM / NTLM Session Response / NTLMv2 authenticating HTTP proxy. In this article we set up cntlm on Windows as a local proxy service. Note, however, that cntlm is not Windows-specific: its essential purpose is to let a non-Windows machine use a Windows proxy that requires NTLM authentication.
The first order of business is to install cntlm from the downloads page. Next, head to `C:\Program Files\Cntlm` (or `C:\Program Files (x86)\Cntlm`). Here we need to modify `cntlm.ini`, but it is a restricted file, so start a text editor with administrative privileges and open `cntlm.ini` manually. Here we can configure the username, domain and proxy settings. Leave the authentication settings as they are for the moment.
```
#
# Cntlm Authentication Proxy Configuration
#
# NOTE: all values are parsed literally, do NOT escape spaces,
# do not quote. Use 0600 perms if you use plaintext password.
#

Username        snoop
Domain          snoopsrealm

# List of parent proxies to use. More proxies can be defined
# one per line in format <proxy_ip>:<proxy_port>
#
Proxy           proxy.snoop.com:8080

# List addresses you do not want to pass to parent proxies
# * and ? wildcards can be used
#
NoProxy         localhost, 127.0.0.*, 10.*, 192.168.*, *.snoop.com
```
Next, open a console with administrator privileges (`cmd.exe`) and navigate to where the cntlm exe is located. Here we will test our proxy configuration and generate the credentials that are required to set up the proxy:
```
C:\Program Files (x86)\Cntlm>cntlm.exe -I -M http://google.com
      2 [main] cntlm 17484 find_fast_cwd: WARNING: Couldn't compute FAST_CWD pointer. Please report this problem to
the public mailing list email@example.com
cygwin warning:
  MS-DOS style path detected: C:\Program Files (x86)\Cntlm\cntlm.ini
  Preferred POSIX equivalent is: /Cntlm/cntlm.ini
  CYGWIN environment variable option "nodosfilewarning" turns off this warning.
  Consult the user's guide for more details about POSIX paths:
    http://cygwin.com/cygwin-ug-net/using.html#using-pathnames
Password:
Config profile  1/4... Credentials rejected
Config profile  2/4... OK (HTTP code: 301)
----------------------------[ Profile  1 ]------
Auth            NTLM
PassNT          9B1D4583333333333333333333314A2F
PassLM          992B29F333333333333333333343A5C7
------------------------------------------------
```
What has happened above is that we tried connecting to `http://google.com` (note the non-HTTPS connection), and cntlm figured out which authentication method the proxy supports and provided us with the credentials we should use. Thus, we can copy the Auth, PassNT and PassLM lines into the configuration file:
```
# NOTE: Use plaintext password only at your own risk
# Use hashes instead. You can use a "cntlm -M" and "cntlm -H"
# command sequence to get the right config for your environment.
# See cntlm man page
# Example secure config shown below.
# PassLM          1AD35398BE6565DDB5C4EF70C0593492
# PassNT          77B9081511704EE852F94227CF48A793
### Only for user 'testuser', domain 'corp-uk'
# PassNTLMv2      D5826E9C665C37C80B53397D5C07BBCB

Auth            NTLM
PassLM          992B29F333333333333333333343A5C7
PassNT          9B1D4583333333333333333333314A2F
```
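Before starting the service, the finished `cntlm.ini` can be checked for settings that expose the stored credentials. The following Python script is an added example, not part of the original article or the cntlm project: it flags a plaintext `Password` line, an `Auth` mode weaker than NTLMv2, and a proxy that other machines can reach. The finding names and both sample configs are constructed for illustration; `Password`, `Listen`, `Gateway`, `Allow` and `Deny` are cntlm directives that do not appear in the snippets above.

```python
# Added example: flag cntlm.ini settings that expose stored credentials (configs constructed, hashes are placeholders).
RISKY_INI = """\
Username    snoop
Domain      snoopsrealm
Password    not-a-real-password
Proxy       proxy.snoop.com:8080
Auth        NTLM
PassLM      00000000000000000000000000000000
PassNT      11111111111111111111111111111111
Listen      3128
Gateway     yes
"""
TIGHT_INI = """\
Username    snoop
Domain      snoopsrealm
Proxy       proxy.snoop.com:8080
Auth        NTLMv2
PassNTLMv2  22222222222222222222222222222222
Listen      127.0.0.1:3128
"""

def parse_cntlm(text):
    """Map lower-cased directive -> list of values; lines starting with '#' are comments."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf

def audit_cntlm(text):
    """Return sorted finding ids (names are this example's own, not cntlm's)."""
    conf, findings = parse_cntlm(text), set()
    if any(conf.get("password", [])):
        findings.add("plaintext-password")    # cleartext secret on disk
    if any(v.upper() in ("NTLM", "NT", "LM") for v in conf.get("auth", [])):
        findings.add("legacy-auth")           # weaker responses than NTLMv2
    gateway = any(v.lower() == "yes" for v in conf.get("gateway", []))
    if gateway and "deny" not in conf:
        findings.add("gateway-without-acl")   # other hosts can proxy as this user
    for v in conf.get("listen", []):
        host = v.rpartition(":")[0]
        if host and host not in ("127.0.0.1", "localhost"):
            findings.add("listen-non-loopback")
    return sorted(findings)

if __name__ == "__main__":
    print(audit_cntlm(RISKY_INI), audit_cntlm(TIGHT_INI))
```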
Once the authentication settings are copied over, we can start the cntlm service via `net start cntlm` in the console. This fires up a local proxy server running on `http://localhost:3128`. We can now test connecting to the internet using this proxy. Note that the command to stop the cntlm service is `net stop cntlm`. A few software configurations are provided below:
- Bash: environment variables `https_proxy`. You can set up environment variables in Windows by right-clicking My Computer, then Properties -> Advanced -> Environment Variables -> New User Variables.
- Git: `git config --global http.proxy http://localhost:3128` and a similarly configured `https.proxy`. You most likely also need `git config --global http.sslVerify false`, which turns off TLS certificate verification for every HTTPS remote.
- npm: `npm config set proxy http://localhost:3128` and a similarly configured
Finally, note that if you are running a virtual machine on Windows via VirtualBox, you can use the proxy running on the host machine as well. Simply set the proxy to use `http://10.0.2.2:3128`, where 10.0.2.2 is generally the IP of your Windows host.